BleepingComputer.com: Computer Crashing at Start-Up


Computer Crashing at Start-Up

#106 FranklenStein

Posted 19 November 2009 - 07:03 PM

Nothing too exciting seemingly, but here it is. Will get on trying the other steps ASAP...

"Scan ""Scan whole computer"" was finished."
"Warnings";"5";"5";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Thursday, November 19, 2009, 3:41:16 PM"
"Scan finished:";"Thursday, November 19, 2009, 4:53:01 PM (1 hour(s) 11 minute(s) 45 second(s))"
"Total object scanned:";"419613"
"User who launched the scan:";"BKALASIN"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\BKALASIN\Cookies\bkalasin@revsci[2].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\BKALASIN\Cookies\bkalasin@revsci[2].txt:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\BKALASIN\Cookies\bkalasin@revsci[2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\BKALASIN\Cookies\bkalasin@revsci[2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\BKALASIN\Cookies\bkalasin@revsci[2].txt";"Found Tracking cookie.Revsci";"Healed"

#107 FranklenStein

Posted 19 November 2009 - 08:41 PM

Please test as much of the system as you can think of ... and I note some specific things to try ...
1. Can you start the system in Safe Mode?
2. Can you create a Restore Point? (You tried earlier and could not.)
3. Can you use all the search facilities on your browser without witnessing any redirections?
4. Can you use the Windows Help and Support link?
Start > Help and Support
5. Can you open
Start > Control Panel > System > Hardware > Device Manager ?
6. Can you open
Start > Control Panel > Add or Remove Programs ?

Computer seems to be running as well as ever considering its age and type...
1. Computer does now go into safe mode.
2. Still unable to create a restore point in either normal or safe mode. Get the following error message: "System restore has been turned off by group policy. To turn on system restore, contact your domain administrator".
3. Internet seems to be running fine. No redirection to any sites shady or otherwise.
4. Windows "Help and Support" does load.
5. "Device manager" does open.
6. "Add or remove programs" does open.

#108 AustrAlien

Posted 19 November 2009 - 09:01 PM

Five tracking cookies! You're right, this is not exciting.
But it is all looking good for your computer.

I would like you to run ATF Cleaner to remove some clutter from the system and then run SUPERAntiSpyware (SAS).
Please follow the instructions provided here, in post #2 by boopme
http://www.bleepingcomputer.com/forums/ind...t&p=1505047

Do you know, or is there any way you can find out, whether System Restore is disabled by your employer/employer's IT staff?
Otherwise/most likely? it has been disabled by malware and should be repaired/enabled and ON.
AustrAlien
Google is my friend. Make Google your friend too.


#109 FranklenStein

Posted 19 November 2009 - 09:47 PM

Ran ATF, and currently running SUPER in Safe Mode as per link instructions.

No threats detected yet, but it looks like SUPER scans pretty slowly so it may be a while...

#110 AustrAlien

Posted 19 November 2009 - 09:57 PM

FranklenStein, on Nov 20 2009, 01:47 PM, said:

it looks like SUPER scans pretty slowly so it may be a while...

When the SUPER scan is complete ... here is something else to be getting on with ...

In your first post you said: "ran Malwarebytes which tracked down 8 infections (5 or so were Rootkit things I believe)"
Based on the above, we should probably run a quick check for rootkits before we declare this computer to be "clean".

I would like you to follow the instructions provided in post #7 by garmanma and complete steps 1 and 2 and post the results.
http://www.bleepingcomputer.com/forums/ind...t&p=1474867
AustrAlien
Google is my friend. Make Google your friend too.


#111 FranklenStein

Posted 19 November 2009 - 10:16 PM

Will do. Also, spoke with my supervisor (who is something of an amateur computer tinkerer himself) who stated that he is fairly sure that the IT folks do put some sort of administrative safeguard on company laptops to ensure employees don't do too many ill-advised alterations. He believes that this is what is causing me to be unable to set a restore point.

#112 AustrAlien

Posted 19 November 2009 - 10:23 PM

FranklenStein, on Nov 20 2009, 02:16 PM, said:

ensure employees don't do too many ill-advised alterations

That caused me to chuckle: I am glad we didn't need to make any alterations in that case!!!!

Whether you want to accept the System Restore situation as it is, or not, is up to you. I won't push it any further.
AustrAlien
Google is my friend. Make Google your friend too.


#113 FranklenStein

Posted 19 November 2009 - 10:34 PM

AustrAlien, on Nov 19 2009, 10:23 PM, said:

FranklenStein, on Nov 20 2009, 02:16 PM, said:

ensure employees don't do too many ill-advised alterations

That caused me to chuckle: I am glad we didn't need to make any alterations in that case!!!!

Whether you want to accept the System Restore situation as it is, or not, is up to you. I won't push it any further.


I thought that was pretty funny too. I'm game for anything at this point to ensure that I can avoid a similar computer crash-and-burn...

#114 FranklenStein

Posted 20 November 2009 - 01:01 AM

AustrAlien, on Nov 19 2009, 09:57 PM, said:

FranklenStein, on Nov 20 2009, 01:47 PM, said:

it looks like SUPER scans pretty slowly so it may be a while...

When the SUPER scan is complete ... here is something else to be getting on with ...

In your first post you said: "ran Malwarebytes which tracked down 8 infections (5 or so were Rootkit things I believe)"
Based on the above, we should probably run a quick check for rootkits before we declare this computer to be "clean".

I would like you to follow the instructions provided in post #7 by garmanma and complete steps 1 and 2 and post the results.
http://www.bleepingcomputer.com/forums/ind...t&p=1474867


SUPER scan completed finally. "No harmful software was detected", but I'll paste the result anyway. On to the next step...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/19/2009 at 10:22 PM

Application Version : 4.30.1004

Core Rules Database Version : 4295
Trace Rules Database Version: 2166

Scan type : Complete Scan
Total Scan Time : 02:49:23

Memory items scanned : 257
Memory threats detected : 0
Registry items scanned : 5619
Registry threats detected : 0
File items scanned : 50454
File threats detected : 0

#115 FranklenStein

Posted 20 November 2009 - 01:27 AM

Hmm...ran Win32kDiag but got lots of "cannot access" messages so don't know how useful this is going to be (Note: the 'AALSEDEK' refers to the IT master that sets up the company computers). Pressing on...

Running from: C:\Documents and Settings\BKALASIN\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\BKALASIN\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\novell\nici\AALSEDEK\XMGRCFG.KS2

[1] 2009-01-16 09:59:34 3948 C:\WINDOWS\system32\novell\nici\AALSEDEK\XMGRCFG.KS2 ()

[1] 2009-01-16 09:02:08 3948 C:\WINDOWS\system32\novell\nici\Administrator\XMGRCFG.KS2 ()

[1] 2009-03-02 14:09:40 3948 C:\WINDOWS\system32\novell\nici\BKALASIN\XMGRCFG.KS2 ()

[1] 2009-01-16 07:02:21 3948 C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS2 ()



Cannot access: C:\WINDOWS\system32\novell\nici\AALSEDEK\XMGRCFG.KS3

[1] 2009-02-26 13:33:13 268 C:\WINDOWS\system32\novell\nici\AALSEDEK\XMGRCFG.KS3 ()

[1] 2009-01-16 09:02:09 267 C:\WINDOWS\system32\novell\nici\Administrator\XMGRCFG.KS3 ()

[1] 2009-03-02 14:09:45 267 C:\WINDOWS\system32\novell\nici\BKALASIN\XMGRCFG.KS3 ()

[1] 2009-11-19 10:06:44 268 C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS3 ()



Cannot access: C:\WINDOWS\system32\novell\nici\Administrator\XMGRCFG.KS2

[1] 2009-01-16 09:59:34 3948 C:\WINDOWS\system32\novell\nici\AALSEDEK\XMGRCFG.KS2 ()

[1] 2009-01-16 09:02:08 3948 C:\WINDOWS\system32\novell\nici\Administrator\XMGRCFG.KS2 ()

[1] 2009-03-02 14:09:40 3948 C:\WINDOWS\system32\novell\nici\BKALASIN\XMGRCFG.KS2 ()

[1] 2009-01-16 07:02:21 3948 C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS2 ()



Cannot access: C:\WINDOWS\system32\novell\nici\Administrator\XMGRCFG.KS3

[1] 2009-02-26 13:33:13 268 C:\WINDOWS\system32\novell\nici\AALSEDEK\XMGRCFG.KS3 ()

[1] 2009-01-16 09:02:09 267 C:\WINDOWS\system32\novell\nici\Administrator\XMGRCFG.KS3 ()

[1] 2009-03-02 14:09:45 267 C:\WINDOWS\system32\novell\nici\BKALASIN\XMGRCFG.KS3 ()

[1] 2009-11-19 10:06:44 268 C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS3 ()



Cannot access: C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS2

[1] 2009-01-16 09:59:34 3948 C:\WINDOWS\system32\novell\nici\AALSEDEK\XMGRCFG.KS2 ()

[1] 2009-01-16 09:02:08 3948 C:\WINDOWS\system32\novell\nici\Administrator\XMGRCFG.KS2 ()

[1] 2009-03-02 14:09:40 3948 C:\WINDOWS\system32\novell\nici\BKALASIN\XMGRCFG.KS2 ()

[1] 2009-01-16 07:02:21 3948 C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS2 ()



Cannot access: C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS3

[1] 2009-02-26 13:33:13 268 C:\WINDOWS\system32\novell\nici\AALSEDEK\XMGRCFG.KS3 ()

[1] 2009-01-16 09:02:09 267 C:\WINDOWS\system32\novell\nici\Administrator\XMGRCFG.KS3 ()

[1] 2009-03-02 14:09:45 267 C:\WINDOWS\system32\novell\nici\BKALASIN\XMGRCFG.KS3 ()

[1] 2009-11-19 10:06:44 268 C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS3 ()





Finished!



UPDATE: Not pressing on. Can't run the "cmd" command. Get a denial saying "The command prompt has been disabled by the administrator". Should I try to get the admin password so I can try these again?

This post has been edited by FranklenStein: 20 November 2009 - 01:30 AM

